In October 2020, the European Union (EU) published draft legislation to codify how financial firms manage digital risk. Announced as part of the EU’s new Digital Finance Strategy, the proposed Digital Operational Resilience Act (DORA) is designed to “consolidate and upgrade ICT [information and communications technology] risk requirements” across financial entities to ensure all firms are “subject to a common set of standards to mitigate ICT risks.”
This broad set of rules could affect almost all corners of the financial sector in businesses large and small. For many firms, the proposed legislation may be less burdensome than current requirements and merely solidify current resilience efforts.
What is the Digital Operational Resilience Act (DORA)?
In February 2020, Europe’s systemic risk watchdog warned that a single cyber incident could lead to a systemic crisis that threatens financial stability. As financial firms rely more on their digital systems, the EU decided it should compel firms to ensure those operations are as resilient as possible.
The proposed act covers financial firms of almost all sizes across every sector of the finance industry, from credit institutions and investment funds to crypto-asset service providers. The aim is to create a single legislative act addressing ICT risk in finance across the Union. The EU says DORA will reduce regulatory complexity—which is currently spread over regulations such as CRD IV, PSD2, Solvency II, EMIR and MiFID plus local requirements and overseen by a number of different bodies—and lower the financial and administrative burdens caused by the current patchwork of regulations.